Access rights
IvanIF, 2021-01-30 16:28:08

Why is permission 777 for a folder on the server dangerous?

On my site, users are able to upload files to the server. The files are uploaded to the avatars and photos directories. Accordingly, I gave these folders permissions 777. Why is this dangerous? After all, when uploading, I check the file's extension and content. In addition, these directories contain .htaccess files with the following content (this prohibits the execution of scripts from this directory):

php_flag engine 0
RemoveHandler .phtml .php .php2 .php3 .php4 .php5 .php7 .phps .cgi .pl .asp .aspx .shtml .shtm .fcgi .fpl .htm .html
AddType text/plain .phtml .php .php2 .php3 .php4 .php5 .php6 .php7 .phps .cgi .pl .asp .aspx .shtml .shtm .fcgi .fpl .htm .html .jsp


5 answer(s)
CityCat4, 2021-01-30
@CityCat4

For the same reason that it is dangerous for a girl to walk around the city alone at night in a short skirt - people can commit various indecencies without even asking her name :)

m0ze, 2021-01-31
@m0ze

Not all checks are equal - that's one. Two - someone can try uploading a .htaccess file, overwriting the current one. What I mean is, you definitely shouldn't rely only on your code and the check you implemented, especially with a crutch like a .htaccess file.

Yes, but if you set permissions to 755, for example, then files stop uploading. What should I do then?

Change the owner of the directories/files to the user the web server runs as; then 755 permissions will work.
Accordingly, I gave these folders permissions 777. Why is this dangerous?

Each of the sevens is responsible for the rights of the owner (user), the group and others. The rights are read (4), write (2) and execute (1). That is, 777 grants all privileges (read + write + execute = 4 + 2 + 1 = 7) to the owner (7), the group (7) and other users (7), which is obviously unsafe.
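An added example, not from the thread, that does in Python what m0ze describes: it decodes an octal mode into owner/group/others triplets, lists everything under an upload root that is world-writable, and strips the group/others write bits so a 777 directory becomes 755. The avatars/photos layout is constructed in a temporary directory, and the directory owner is assumed to already be the web server user, as m0ze advises.

```python
import os
import stat
import tempfile

def decode_mode(mode):
    """Expand bits such as 0o777 into owner/group/others triplets (r=4, w=2, x=1)."""
    triplets = []
    for shift in (6, 3, 0):                       # owner, group, others
        bits = (mode >> shift) & 0o7
        triplets.append("".join(c if bits & b else "-" for c, b in zip("rwx", (4, 2, 1))))
    return "".join(triplets)

def _entries(root):
    """Yield every directory and file under root, skipping symlinks."""
    for dirpath, _, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if not os.path.islink(path):
                yield path

def world_writable(root):
    """Relative paths of everything any local user may modify
    (the 'others' write bit is set) - the exposure a 777 setting creates."""
    return sorted(os.path.relpath(p, root) for p in _entries(root)
                  if os.stat(p).st_mode & stat.S_IWOTH)

def harden(root):
    """Drop group/others write bits under root (0o777 dir -> 0o755, 0o666 file
    -> 0o644); assumes the owner is already the web server user, so uploads keep working."""
    for path in _entries(root):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))

def mode_of(*parts):
    """Decoded permission string of the path built from parts."""
    return decode_mode(stat.S_IMODE(os.stat(os.path.join(*parts)).st_mode))

def demo_setup():
    """Constructed sample: an upload root holding 'avatars' and 'photos' set
    to 0o777, plus a world-writable .htaccess (the overwrite risk m0ze names)."""
    root = tempfile.mkdtemp(prefix="uploads_")
    os.chmod(root, 0o755)
    for name in ("avatars", "photos"):
        d = os.path.join(root, name)
        os.mkdir(d)
        os.chmod(d, 0o777)
    htaccess = os.path.join(root, "avatars", ".htaccess")
    with open(htaccess, "w") as fh:
        fh.write("php_flag engine 0\n")
    os.chmod(htaccess, 0o666)
    return root
```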

Alexander, 2021-01-30
@AleksandrB

Now imagine that someone found a vulnerability in your code that calls a command in the console (exec(), for example), and now he can go into this folder and delete everything he needs.
Or one of your users was hacked.
By and large, folder permissions are the next level of protection if the first one doesn't work.

mureevms, 2021-01-30
@mureevms

It is dangerous simply because if the server is compromised through any user account, the attacker will be able to modify files in all directories with 777 permissions.

Karpion, 2021-01-31
@Karpion

It is not clear whether the users are system users (who log in to the system) or site users.
If they are system users, then they must be put in a group, and only this group (and possibly the owner) should be given write access to these folders.
If they are site users, then upload requests are performed on behalf of some user; write access to these folders should be given only to that user.
There is a good rule:
"Never give more rights than necessary."
Because the extra rights will not be useful, since they are not needed; but they can easily cause problems.
